


REDUNDANT INPUT/OUTPUT MANAGEMENT DEVICE, 
NOTABLY FOR DATA ROUTING 



BACKGROUND OF THE INVENTION 

The present invention concerns a device with built-in redundancy for
management of inputs/outputs, notably a data routing system. It is notably 
applicable to the handling of air traffic data and, more generally, to all digital 
data input/output management systems necessitating a high level of 
operational reliability without an excessive cost premium. 

DESCRIPTION OF THE PRIOR ART

Air traffic density has reached a very high level, while air safety requirements 
are becoming increasingly stringent. Modern-day air traffic management 
therefore involves the processing of large quantities of data, notably used by 
air traffic controllers and pilots. These data include a broad range of radar 
data, meteorological data, aircraft positions and flight plans, and instrument
landing system (ILS) data. 

The processing of all this information requires powerful computing means. 
Among these means, the interfaces with data centers and decision-makers 
are of particular importance. These interfacing means serve notably for 
information routing to ensure that data finds its way to the right destinations.
Given the very large volumes of data, the performance of these means is of 
vital importance in the global operation of an air traffic management system. 

Commercially-available equipment exists with operating systems that can
satisfy these routing needs. For example, there is a range of products
carrying the registered brand name "LINES", meaning "Link Interface Node -
for External Systems". These modular products are designed to enable
routing and processing of input/output messages carried on
incoming/outgoing serial links and Ethernet networks. Standard serial links,
using protocols such as X25, HDLC and BSC for example, can be handled,
as can dedicated lines, such as special radar data transmission protocols.

These so-called routers can operate with a software architecture of
front-processor type. They are equipped with FPBSS-type software, meaning
"Front Processor Basic System Software". In this operating mode, the router
is connected to a single application program. It has only one upstream
function, for example routing data to the required destination. The essential
application software is stored in one or more central computers; one router
is required for each application.

The performance of these routers can be enhanced by using an open
communication mode known as OCP (Open Communication Processor). In
this mode, a router is connected to several applications and operates
substantially as a data server. It is notably used to process and route the
data from any input point to any output point. This operating mode is
particularly suitable for air traffic management. In an air traffic management
application, this mode notably provides the following functionalities:

- black-box-type distribution of radar data to the centers, the radar data
being received via serial interfaces and transmitted via an Ethernet
network to an identified group of machines; such distribution is known as
"UDP multicast";

- autonomous conversion of messages or protocols, notably enabling
conversion of message formats or specific protocols, for example ISR2
into ASTERIX, X25 into HDLC-UI, etc.;

- retransmission of radar data via serial lines to processing circuits.

In an air traffic management application, the operational reliability of the
computer systems, and therefore of the routing systems, is of prime
importance, since the safety of passengers is at stake. For example, current
safety standards impose that the air coverage of an air traffic control center
must not be interrupted for more than a few seconds per year. To achieve such
reliability, redundancy techniques must be applied, notably by duplicating
equipment so that the functions of a machine that develops a fault can
immediately be taken over by another. As a general rule, each router is
duplicated. One problem to be handled is the hand-over from one router to
another when the first becomes defective. One known solution consists in
providing an active router, called the master, and an inactive router, called
the slave, with a third-party system that arbitrates the transfer of execution
from the master to the slave. This solution is not economical, mainly due to
the need for a third-party system in addition to the redundant router.

To make the system economical it is possible to eliminate the arbitrator, in
which case a message interchange protocol must be defined between the
master and the slave. In particular, when the master becomes defective, the
slave no longer receives messages, so it then takes over the processing.
However, degraded operation can occur, notably where the master degrades
the processed data without realizing it. The master, unaware that it is
operating defectively, does not deactivate its inputs and outputs. The slave,
on the other hand, knows that the master is defective, but is unable to take
control of the routing correctly, mainly due to the fact that the master has not
deactivated its input/output ports. The system continues to operate in
degraded mode, with obvious negative impact on the operational reliability.

SUMMARY OF THE INVENTION 

One object of the invention is to reduce the costs associated with operational
reliability, by eliminating the use of a third-party arbitration system, yet
without degrading operational reliability, whatever types of input/output ports
are used.

For this purpose, the invention is a device for digital input and output data
management, including first management means and second management
means connected to each other via two interfaces, one a network and the
other a standby line, said means mutually exchanging polling messages via
these two interfaces, said first means being considered to be defective by
said second means when they no longer send messages during a given
time interval on at least one of said two interfaces, characterized in that it
includes at least one algorithm to reset said first and second means, the
defective means being deactivated and the other means activated during the
reset after detection of a failure.



The input and output management means can be routers or data servers.

At start-up, the first means have for example the role of master and the
second means the role of slave; the master manages the input and output
data. To assure redundancy, the means have the same functions and 
include the same software and configuration files. 

When one of the means is detected as being defective by the other means,
the latter deactivate the defective means, for example. The slave can then 
take charge of the management of the data in place of the master. 

Advantageously, the polling messages, the frequency of interchange of 
these messages, and the time limit between two successive messages are 
defined by parameters in a configuration file contained in each of the means,
several sets of parameters being stored depending on the application. The 
parameters specific to an application can be loaded into RAM memory on 
initialization of the device. 

The main advantages of the invention are that it is adaptable to numerous 
applications and is easy to implement.

BRIEF DESCRIPTION OF THE DRAWINGS 

Other characteristics and advantages of the invention will become clear on 
reading the following description of a preferred embodiment, taken only as a 
non-limitative example, making reference to the attached drawings of which: 

- figure 1 shows an example of a redundant routing system in the case
where the input and output ports are of serial type;

- figure 2 shows an example of redundant routing including an Ethernet-type
communication network with client workstations.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT 

Figure 1 presents an embodiment of a redundant routing system in the case
where the input/output ports are of serial type. The system includes a router
1 acting as a master router and a router 2 acting as a slave. These two
routers have the same functions and notably include the same software and
configuration files. A given port 3 of each router communicates via a serial
link with the same system 4, for example a modem. For this purpose, the
link between the system 4 and the two routers is via a "Y-split cable" 5. A
standby bus 6 connects the two routers 1, 2.

When the two routers 1, 2 start up together, the master 1 activates its electric 
modes on its input/output ports 3 whereas the slave 2 leaves its ports 3
inactive, in the high impedance state. This means that even if both the 
routers are configured and operative, only the master 1 communicates with 
the modem 4. In the event of failure of the master, there are two main cases 
to consider: 

- the master resets by placing its ports 3 in the high impedance state and
itself becomes the slave; at the same time, the slave 2 becomes the
master and its ports are electrically activated. This is the normal situation
and is easily managed;

- the master develops a fault but does not reset. The slave knows that it
should become master, but the current master does not deactivate its
ports, so there is no fail-over of one router to the other owing to a potential
conflict between the ports 3 of the two routers. This is the most complex
situation to be handled.

This second situation must however be handled since it dangerously
prejudices the operational reliability. In this operating mode, the master
could process or route data incorrectly. To deal with this problem, a
standby bus 6 is connected between the two routers, which enables a reset
command to be sent, in other words a command sent by the slave to
suspend the master's ports 3, after which the slave takes control.

The type of redundancy architecture illustrated in figure 1 is quite suitable
when the input/output ports involved are serial ports. However, it is
inadequate when the routers use a local area network (LAN), for example of
the Ethernet type.

Figure 2 illustrates an embodiment of a device according to the invention. It
is a data routing system including two routers 1, 2, one the master, the other
the slave. These two routers operate in open mode (OCP). The device
having built-in redundancy, the two routers have the same functions and
notably the same software and configuration files. Similarly, the inputs and
outputs to other systems also have built-in redundancy.

The two routers are for example connected via a network 23, for example
Ethernet or Internet, to one or more remote client systems 21, 22. They are
moreover connected to other systems, such as modems, via serial links. A
Y-split cable 5 connects a given port 3 of each router to the same system,
notably to enable these two ports 3 to interchange with this system. When
the master is active, its serial port is active whereas that of the slave is
inactive, being for example in the high impedance state.

The two routers are connected via the network 23, for example Ethernet or
Internet, and via a standby line 24, for example a bus. By way of example
we consider an Ethernet network 23. At start-up or on initialization of the
device, one router 1 is the master and the other 2 is the slave. The master
then manages the input and output data, and therefore routes them. During
operation, the two routers 1, 2 mutually interchange messages known as
polling messages. These polling messages are for example exchanged
cyclically, in other words at regular time intervals. They are interchanged via
the Ethernet network 23, for example using a UDP unicast-type distribution.
Polling messages are also interchanged via the standby line 24. A device
according to the invention therefore includes at least two polling message
interchange interfaces: a network interface (for example Ethernet) and a
communication bus 24. A polling message is sent by the slave to the master
to check that the master is operative and not defective; the master must
reply to this message. All types of polling messages can be used. The
simplest is for example to send the master a given message and check that it
sends it back in its entirety. Similarly, the master sends polling messages
to the slave to check that it is operative. In this manner both the units 1, 2
can be supervised without the intervention of third-party equipment.

When the slave 2 does not receive at least one polling message in a given
time interval on at least one of the two interfaces (the Ethernet 23 or the
standby line 24), its program assumes that the master is defective. The
slave then decides to become master. For this purpose, it activates a
"fail-over" mechanism, which can have several components. It includes an
algorithm, installed for example both in the master and the slave, which
forces the master to reset, and more specifically to re-initialize. This
algorithm is programmed moreover such that during this re-initialization, the
slave takes control and therefore becomes active in the processing of the
data, whereas the master remains inactive. This algorithm moreover
provides for the suspension of the input/output ports of the master and the
activation of the input/output ports of the slave that becomes master. A
supervision station 25 enables for example reading of fault and failure
reports sent by the master or the slave. This station 25 can moreover be
used for other functions in the general framework of the application. The
device includes for example means of alert to warn of a fault, to ensure that
the defective equipment is replaced promptly.
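
The detection and fail-over sequence described above, modelled from the slave's side as an added sketch (not code from the patent). The class and field names, the 2-second limit and the payload are assumptions, and the reset sent over the standby line is modelled as a direct method call.

```python
INTERFACES = ("network", "standby")  # Ethernet network 23 and standby line 24

class PollConfig:  # attribute names are assumptions, not the patent's file format
    timeout_s = 2.0          # time limit between two successive messages
    payload = b"POLL-0001"   # constructed polling message

class Unit:
    def __init__(self, role, ports_active=False):
        self.role = role                  # "master" or "slave"
        self.ports_active = ports_active

    def reset(self):
        # Reset algorithm: suspend the I/O ports and restart as the inactive unit.
        self.ports_active = False
        self.role = "slave"

class PeerMonitor:
    def __init__(self, me, peer, cfg, now=0.0):
        self.me, self.peer, self.cfg = me, peer, cfg
        self.last_ok = {i: now for i in INTERFACES}

    def on_reply(self, iface, echoed, now):
        if echoed == self.cfg.payload:    # only an intact echo counts as a reply
            self.last_ok[iface] = now

    def tick(self, now):
        # Peer is defective once at least one interface exceeds the time limit.
        if all(now - self.last_ok[i] <= self.cfg.timeout_s for i in INTERFACES):
            return False
        self.peer.reset()                 # peer must release its ports first
        if self.me.role == "slave":
            self.me.role, self.me.ports_active = "master", True
        return True

def demo():
    cfg = PollConfig()
    master, slave = Unit("master", ports_active=True), Unit("slave")
    mon = PeerMonitor(slave, master, cfg)
    # Constructed timeline: after t=1.0 the master answers on the network only,
    # i.e. it is still running but no longer healthy on both interfaces.
    replies = [(t, i) for t in (0.5, 1.0) for i in INTERFACES]
    replies += [(t, "network") for t in (1.5, 2.0, 2.5, 3.0, 3.5)]
    for t, iface in replies:
        mon.on_reply(iface, cfg.payload, t)
        if mon.tick(t):
            return t, master, slave       # time of fail-over and final states
    return None, master, slave
```

Because the peer's ports are suspended before the local ports are activated, the two units never drive the shared Y-split cable at the same time.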

The algorithm which forces the reset of the master, and finally its
suspension, is installed in the master, but it is activated by the slave. For
this purpose, the slave knows the memory address of this algorithm. More
precisely the memory address of this algorithm is stored in the slave.
Preferably, in a symmetrical manner, the algorithm is also installed in the
slave, for reasons of standardization of execution of the equipment, but also
so that the master can completely deactivate the slave in the event of failure
of the slave. The master therefore has access to the address of the reset
algorithm in the slave. The reset algorithm, its address, the polling
messages, the transmission interval between these messages, the time limit
between two messages before fail-over, and other configuration parameters
are notably stored in a configuration file contained in each router. Several
sets of parameters can be stored in this configuration file, one for each final
application. On initialization of the routers, the application's specific
parameters are for example loaded into a RAM memory. The management
of the various software layers, including the reset algorithm, and the
communications between these layers are classically treated by an operating
system, possibly associated with intermediate software layers known as
"middleware" installed in the routers.

The invention has been described with reference to a data routing device in
which a standby router is provided for each router. It will be clear to
professionals of the art that the invention is also applicable to other means of
input/output management, for example data servers. It is advantageously
applicable to all types of applications requiring a high level of operational
reliability yet without excessive cost. Moreover, it is simple to implement
since it is essentially software-based.



